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METHOD AND SYSTEM FOR PRODUCING WISE CARDS 


BACKGROUND OF THE INVENTION 

Field of the Invention 

The present invention generally relates to producing hard-to-imitate "smart cards" (e.g., 
so-called "wise cards"), and to producing smart cards whose clones would be of limited value, as 
would be tampering with the card. 

Description of the Related Art 

Smart cards have been proposed as a technology offering the possibility of secure off-line 
transactions. However, recently, several successful attacks on conventional smart cards have 
been reported (e.g., see R. Anderson, M. Kuhn; "Tamper Resistance — A Cautionary Note." The 
Second USENIX Workshop on Electronic Commerce. November 1996, R. Anderson, M. Kuhn; 
"Low Cost Attacks on Tamper Resistant Devices." Preprint. 1997, and P. Kocher, J. Jaffe and B. 
Jun; "Introduction to Differential Power Analysis and Related Attacks" Manuscript, 
Cryptography Research, Inc. 1998.). 

One such reported attack allows cracking of the digital code which is supposed to 
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warranty the security of the card, by inferring conclusions of the code from observations of 
electrical currents, power consumption, and other electromagnetic manifestations in the card 
during use. Other low-cost attacks are similarly known on current smart card technology. 

This has generated much publicity and some skepticism on the part of users. For 
example, the attack mounted by Paul Kocher of Cryptography Research was made very well- 
known to the public by the publication of a paper by Peter Wayner on this attack on pages D1-D2 
of the New York Times of Monday, June 22, 1998. 

Given the benefits that banks, credit card companies, and other users were expecting from 
a wide acceptance of the security offered by smart cards, it is important to be able to overcome 
the lack of security (both real and perceived) offered by present smart card technology. 

Indeed, several improvements of the original design have been proposed (and this process 
may continue in the future). However, since the above-described, successfully mounted attack 
only needs some of the electrical analysis and possibly the physical attacks one could perform on 
smart cards, the desired level of confidence is not likely to be restored so long as solutions only 
advance the original (and conventional) idea of enclosing all of the security in the card. 

It is noted that by using, for example, some zero-knowledge protocol, a smart card can be 
authenticated but, reputedly, cannot be duplicated. A general reference to smart card technology 
and applications can be found in "Smart Cards: A Guide to Building and Managing Smart Card 
Applications," by Henry Dreifus and J. Thomas Monk, John Wiley & Sons , 1998. It is noted, 
that, in the rest of the present disclosure, any electronic component using such technology and 
jwhich has some memories and/or some processing capabilities, will be called "a smart 
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component" or "a chip" or "a smart card", even if it does not actually take any form resembling a 
card. 

One of the main virtues attributed to smart cards is that some transactions based on smart 
cards, such as payments and authentication, can be performed using the smart card, without 
connection to a database. Of course, this freedom from a link to a database only has value as long 
as the secrets in the card resist attacks. One can try to modify the smart card technology so as to 
reach a level of security considered sufficient. Such an approach is taken for example in U.S. 
Patent Application No. 09/397,503 entitled "METHOD AND APPARATUS FOR PRODUCING 
DUPLICATION- AND IMITATION-RESISTANT IDENTIFYING MARKS ON OBJECTS, 
AND DUPLICATION- AND IMITATION-RESISTANT OBJECTS" by N. Amer et al, assigned 
to the present assignee and incorporated herein by reference. That approach requires a smart 
card reader with quite different characteristics than those of present smart card readers. 

Another approach, used in the present invention, sacrifices part of the full off-line 
usability of smart cards to insure accrued security. 

Thus, improvements in the security of smart cards are surely useful, but some radically 
new approaches must be used. One approach may include ensuring the physical security of the 
card, but this might not be enough to prevent producing huge amounts of false smart cards once 
one of them has been successfully attacked. 

Hence, in conventional cards, counterfeiting/duplication is not rendered difficult since 
confidential information is carried on the card and an unscrupulous person may find the 
jnformatipn simply by looking at/reading the energy construction inside of the card. That is, with 
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a plurality of readings of the card, the information held within the card can be easily detected. 
However, no conventional method (and system) has addressed such problems. 

SUMMARY OF THE INVENTION 

In view of the foregoing and other problems of the conventional methods and systems, an 
object of the present invention is to provide a method (and system) in which counterfeiting and 
cloning of smart cards is made more difficult and/or less profitable. 

In a first aspect of the present invention, a method (and system) is provided which is 
based on cryptography with the cryptographic structure/key not being carried on the smart card. 

More specifically, the smart-card-type of security, often all carried on the card itself, is 
complemented in the present invention by extra protection depending on cryptography, with the 
cryptographic structure (e.g., a key) not being carried by the card and which cannot be accessed 
completely by a predetermined small number of readings, and in fact the cryptographic structure 
can only be built by whoever emits the card or the agent thereof. 

This principle prevents the creating of false cards different from the legitimate ones, but 
does not prevent the fabrication of as many clones one wishes of a given legitimate smart card. 
Thus, the invention also provides a mechanism of protection designed to prevent and/or 
discourage both copying and creation of new cards. 

Thus, the present invention provides a new implementation of smart cards and provides 
the_readers whichcan be used in combination with such smart cards. These cards necessitate 
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more connections to a data base than typical, conventional smart cards, but far less than credit 
cards. 

Such smart cards are particularly well-adapted to use in electronic business (e.g., 
"e-business") since online transactions are taking place anyhow. Further, such smart cards are 
designed so that an evil merchant cannot acquire the information needed to fabricate clones of 
the card from a reading (nor from a few readings) of the smart card. Moreover, a counterfeiter 
can only get limited benefit from tampering with the card, and cannot imitate a legitimate card to 
create different ones, while cloning has limited value as online controls are performed on 
occasion. 

The card (or other carrier of the overall system, but herein the word card will be used for 
definiteness) will carry some chosen type of chip. In that chip, there will be determined N 
channels (e.g., CI, C2,..., CN, where N is for example on the order of 100 (but will be easier to 
augment as technology progresses)). 

Each channel Ci, with i in 1,2,...,N, carries a pair of numbers (hi, li) (e.g., for definiteness, 
hi is the i th high number, and li is the i th low number). Both low and high numbers are about 1 024 
bits long (and more as technology progresses, as would be evident to one or ordinary skill in the 
art; that is, more bits provide greater security). More specifically, this number of bits corresponds 
to secure use of the Ri vest- Shamir- Adleman (RSA) protocol at the time of writing. Other 
methods also can be used such as elliptic curve-sallow for secure use of smaller numbers of bits 
(e.g., see "Handbook of Applied Cryptography" , by Alfred J. Menezes, Paul C. van Oorschot and 
Scott A. Vanstone, CRC Press, 1997). 
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Public key cryptography with associated distinct encoding and decoding functions Vi and 
Vi' 1 are used in each channel i. As is well known (e.g., see "Handbook of Applied 
Cryptography", by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, CRC Press, 
1997), each function Vi" 1 is known publicly, but Vi is known only to some party called the owner 
5 and is secret in the sense that it is considered computationally infeasible to determine it from Vi' 1 . 
For each i in 1, 2 N, the pair (hi, li) is such that hi = Vi(li), or 
hi = Vi(K(li)) where K represents some publicly-known cryptographic hash function, as 
described, for example, in the aforementioned book by Menezes et al. Each li contains several 
W symbols for redundancy, which may for example carry a specific mark of whoever emits the 

! 310 cards. Furthermore, an invertible function f is chosen and made public, and the low numbers in a 
card satisfy l(i+j) = £(li), where f" stands for the j th iterate of the function f. 

The reader is preferably equipped with a random number generator, which, when a card is 
P read, chooses a pair (a, b) of distinct numbers with a < b between 1 and N. Before processing the 

;:f chip as usual, the reader obtains the pair (ha, la) as well as hb (e.g., since a and b are known by 

" "15 the reader as well as the function f, the reader can compute lb from a,b, and la by computing 

lb=f^ b " a \la)). Using the public keys Va" 1 and Vb" 1 , the reader can check whether the pairs (ha, la) 
and (hb, lb) are compatible, and, consequently, that the numbers ha, la, and hb belong to the same 
legitimate card. 

Since the reader only obtains the content of two channels, an evil merchant cannot build a 
20 believably true counterfeited card by combining this information with the secrets which might 
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have been obtained about the chip using a smart card attack as described previously. 

The entire process can be performed off-line as it is based on public key cryptography. 
The only danger is the card which has been cloned or re-provisioned with money fraudulently by 
someone having discovered the intrinsic secret of the chip. 

To combat this danger, periodically (e.g., daily, weekly, randomly, etc. depending upon 
the designer's constraints and requirements), the smart card reader preferably communicates with 
a data base where the amount extracted from a given card is checked. If a card is detected as 
delivering too much money (e.g., more than would be reasonably authorized), the data base 
communicates the corresponding 11 to all readers in the network, which may be worldwide, so 
that the cards carrying that number will be declined in the future. 

Thus, far less dependence on the network is required according to the present invention, 
than what is necessary to process credit cards. That is, credit card processing requires an on-line 
processing in which the customer presents the card to the merchant and the merchant passes the 
card through a reader and connects to the bank or other issuing authority for authorization to 
complete the transaction. 

Thus, credit card processing is significantly more burdensome than the processing of the 
present invention. In some applications, one may change the cryptographic structure/keys every 
so often and invalidate cards after some time of usage so that limited data bases must be kept in 
all readers of the network. 

Clearly, the marginal cost per transaction is much lower for banks using the present 
invention than for credit cards. Further, while the price is higher than for original format smart 
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cards (e.g., for purposes of the present application, "original format smart cards" are defined as 
conventional smart cards having the confidential information/secrets on the card), the level of 
security is much higher, and the huge danger of having all the secrets in the card has been 
avoided. This new format of card is particularly well adapted for e-commerce, since the liability 
of having to be on line is cost-free as all operations are performed on-line anyhow. 

In the context of electronic commerce, the advantage of the present invention over credit 
cards is the higher level of both security for both parties of the transaction and the privacy of the 
customer. Finally, as alluded to above, the transactions are performed essentially and 
substantially off-line. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The foregoing and other objects, aspects and advantages will be better understood from 
the following detailed description of a preferred embodiment of the invention with reference to 
the drawings, in which: 

Figure 1 is a flow diagram describing how to generate the pairs (hi, li) according to the 
present invention; 

Figure 2A is a flow diagram showing the process of verifying that a card is authentic, or 
at worst an exact clone of an authentic card, and checking if the card is not in the list of cards to 
be refused; 

Figure 2B is a flowchart showing the steps corresponding to the flow of Figure 2 A; 
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Figure 3 illustrates an exemplary information handling/computer system for use with the 
present invention; and 

Figure 4 illustrates a storage medium 400 for storing steps of the program for the process 
of verifying according to the present invention. 


DETAILED DESCRIPTION OF A PREFERRED 
EMBODIMENT OF THE INVENTION 

Referring now to the drawings, and more particularly to Figures 1-4, a preferred 
embodiment of the present invention will be described below. 

Figure 1 illustrates a flow diagram of a process of building the pairs (hi,li) to be written in 
the chip. A prefix 101 of 11 can be chosen once and for all, or changed whenever needed. This 
prefix must be publicly known, and serves to prevent forming apparently legitimate pairs by use 
of the public part of the encryption method. 

The prefix 101 is followed by a relatively long sequence 102, which may be generated by 
any method chosen by the card emitter, so that the same number is not chosen twice, and also so 
that the corresponding other li's are not chosen as new lis. Preferably, the sequence 102 is 
preferably 1024 bits or more. With the more bits provided, the more security is provided. If the 
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card is accessed and read frequently (e.g., several times per minute, etc.), more bits would be 
preferred, whereas if the card was designed to be accessed only infrequently, then less bits would 
be required for desired security. 

The concatenation on 101 and 102 forms 11 at 103. Then, a function f which is invertible 
and will be publicly known is chosen, and one constructs 

12 = f(ll) at 104, 13 = f(12) at 105, and so forth. The function f, for example, can be chosen to be 
the identity map, in which case 11 = 12 = 13 = ...etc. 

For some number N, typically of the order of 100 or more, N public key-private key pairs 
are chosen. It is noted that, the more pairs there are, the greater the security. As mentioned 
above, if the card is used frequently, then more key pairs would be desired. The first private key 
VI at 1 13 is used to compute hi = VI (11) at 123, the second private key V2 at 1 14 is used to 
compute h2 = V2(12) at 124, and so on. 

Referring now to Figure 2, a flow diagram is shown of the process of verifying that a card 
is authentic (or at worst an exact clone of an authentic card before the intrinsic mechanism of the 
chip is used), and checking if the card is not in the list of cards to be refused. 

When the card 201 is read by the reader 202, a random generator 203 is prompted which 
gives at 204 two integer numbers a and b which are between 1 and N, with a < b. 

These numbers a, b are transmitted to the chip at 210 which delivers two high numbers at 
205 and 207, and the low number at 206 in the channel a. 

Then, the pair (a, b), together with the function f at 210 in memory 1 , at 209 in the reader, 
are used to compute the low number lb = ^ b * a)( la) at 208. Memory 2 at 220 in the reader 202 
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delivers the public keys Va" 1 at 221 and Vb" 1 at 222. 

These public keys are used at comparator 230, together with the pairs (ha, la) and (hb, lb), 
to verify that the pairs are compatible with the corresponding keys, and that the pairs are from the 
same legitimate card. At this point, it is known by the operation at the comparator 230 whether 
5 the card is legitimate, whether the card is a clone, and/or whether the card is up to an overdraft 
limit, for example, by a counterfeiter able to manipulate the chip. To limit this danger, a final 
validation is made by a validation step/device 240 after performing any or all of: 

1) contacting the central data base 250 if the entire transaction is made on-line with no 
3 penalty (e.g., in e-business transactions, for public telephone systems, etc.); and/or 

40 2) checking with the local data base 260 in the reader 202 which is refreshed periodically, 

i depending on the application, by contact between local database 260 and central database 250 

which may occur at other times than the transaction. 
3 While the overall methodology of the invention is described above, the invention can be 

3 embodied in any number of different types of systems and executed in any number of different 

1 5 ways, as would be known by one ordinarily skilled in the art. 

For example, as illustrated in Figure 3, a typical hardware configuration of an information 
handling/computer system for use with the invention is shown. In accordance with the invention, 
preferably the system has at least one processor or central processing unit (CPU) 3 1 1 and more 
preferably several CPUs 311. The CPUs 311 are interconnected via a system bus 3 12 to a 
20 random access memory (RAM) 3 14, read-only memory (ROM) 3 1 6, input/output (I/O) adapter 
318 (for connecting peripheral devices such as disk units 321 and tape drives 340 to the bus 312), 
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user interface adapter 322 (for connecting a keyboard 324, an input device such as a mouse, 
trackball, joystick, touch screen, etc. 326, speaker 328, microphone 332, and/or other user 
interface device to the bus 312), communication adapter 334 (for connecting the information 
handling system to a data processing network such as an intranet, the Internet 
(World- Wide- Web) etc.), and display adapter 336 (for connecting the bus 312 to a display device 
338). The display device could be a cathode ray tube (CRT), liquid crystal display (LCD), etc., 
as well as a hard-copy printer (e.g., such as digital printer). Further, a reader 342 is coupled to 
the CPU 311 via bus 312. 

In addition to the hardware/software environment described above, a different aspect of 
the invention includes a computer-implemented method for verifying a smart card and 
preventing/discouraging counterfeiting and tampering thereof. As an example, this method may 
be implemented in the particular environment discussed above. 

Such a method may be implemented, for example, by operating a computer, as embodied 
by a digital data processing apparatus, to execute a sequence of machine-readable instructions. 
These instructions may reside in various types of signal-bearing media. 

Thus, as shown in Figure 4, in addition to the hardware and process environment 
described above, a different aspect of the invention includes a computer-implemented method for 
verifying that a smart card is authentic (or at least a clone of a legitimate card), and checking 
whether the card is in the list of cards to be refused for processing, as described above. As an 
example, this method may be implemented in the particular hardware environment discussed 
above. 

YOR9-2000-0165 12 


Such a method may be implemented, for example, by operating the CPU 3 1 1 (Figure 3), 
to execute a sequence of machine-readable instructions. These instructions may reside in various 
types of signal-bearing media. 

Thus, this aspect of the present invention is directed to a programmed product, 
comprising signal-bearing media tangibly embodying a program of machine-readable instructions 
executable by a digital data processor incorporating the CPU 3 1 1 and hardware above, to 
perform the above method. 

This signal-bearing media may include, for example, a RAM (not shown in Figure 4) 
contained within the CPU 3 1 1 or auxiliary thereto as in RAM 3 14, as represented by a fast- 
access storage for example. Alternatively, the instructions may be contained in another signal- 
bearing media, such as a magnetic data storage diskette 400 (e.g., as shown in Figure 4), directly 
or indirectly accessible by the CPU 311. 

Whether contained in the diskette 400, the computer/CPU 3 1 1 , or elsewhere, the 
instructions may be stored on a variety of machine-readable data storage media, such as DASD 
storage (e.g., a conventional "hard drive" or a RAID array), magnetic tape, electronic read-only 
memory (e.g., ROM, EPROM, or EEPROM), an optical storage device (e.g. CD-ROM, WORM, 
DVD, digital optical tape, etc.), paper "punch" cards, or other suitable signal-bearing media 
including transmission media such as digital and analog and communication links and wireless. 
In an illustrative embodiment of the invention, the machine-readable instructions may comprise 
software object code, compiled from a language such as "C", etc. 

Thus, with the unique and unobvious aspects of the present invention, a method (and 
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system) are provided in which counterfeiting and cloning of smart cards is made more difficult 
and/or less profitable. The method is based on cryptography with the cryptographic structure/key 
not carried on the smart card. Instead, the present invention provides extra protection depending 
on cryptography, with the key not carried by the card, and is kept secret by whoever emits the 
card or the agent thereof. Thus, the creating of false cards different from the legitimate ones, is 
prevented. 

Further, to prevent the fabrication of as many clones one wishes of a given legitimate 
smart card, the invention provides a mechanism of protection designed to prevent and/or 
discourage both copying and creation of new cards. 

Thus, the present invention provides a new implementation of smart cards and provides 
smart card readers which can be used in combination with such smart cards. In each reading, the 
reader simply reads, in a very random way, a very small portion of the secure information on the 
card. Hence, many readings of the card would be required in order to detect the energy thereon, 
and it is anticipated that after such a large plurality of readings the value of the card (e.g., the 
money value held thereon, etc.) would be exhausted. These cards necessitate more connections 
to a data base than typical, conventional smart cards, but far less than credit cards. 

Further, the smart cards do not carry confidential information thereon and the smart cards 
are difficult to duplicate/counterfeit. Indeed, there is no key at all held in the card. The card 
merely holds two related words (e.g., a pair including the suffix and the sequence) as a secret. 
Instead, the reader holds the key (e.g., the public key) therein along with a database which, as 
mentioned above, is updated periodically. The database holds information representing 
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disallowed/refused cards possible representing that the cards have been stolen, voluntarily 
discontinued by the legitimate owner, etc. 

Another key advantage of the invention is that the reading/transaction process is 
performed substantially off-line. The reader is on-line merely when it is linked to a network or 
the like for updating the contents of the database with the list of unauthorized cards, etc. 

While the invention has been described in terms of a single preferred embodiment, those 
skilled in the art will recognize that the invention can be practiced with modification within the 
spirit and scope of the appended claims. 
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